-= Per source details. Do not edit below this line.=-
momenntjs is a typosquat of momentjs whose package.json postinstall hook runs node.init.js. On npm install,.init.js enumerates roughly 60 credential-shaped environment variables (including NPMTOKEN, GITHUBTOKEN, AWSSECRETACCESSKEY, STRIPE*, DBPASSWORD, SSHKEY, GCP/AZURE/Cloudflare tokens, and TWINE credentials) and reads home-directory credential files including ~/.npmrc, ~/.env*, config/credentials.json, and files under ~/.config matching token/cred/secret patterns. It also collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid) and POSTs the combined JSON payload to a hardcoded webhook.cool inbox at tender-deer-80. The package provides no legitimate functionality matching its name.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "6aae445dd0b77bd7409820067097404e4ccb16d658e7911c7c4e659146fdfad4",
"id": "IN-MAL-2026-010518",
"import_time": "2026-07-14T14:37:52.739265241Z",
"modified_time": "2026-07-14T14:00:27Z",
"versions": [
"1.0.0"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/momenntjs/MAL-2026-10588.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-nc6IjJ3B1qCdot2NpGBdNmQmpeago71/INfI/2JBYHLVWFhiW+sk/uIZh31KXXkSI6WMkHODZbP9Ro4ePtwWVw==",
"sha1": "d13a1a38466774751475d48e101671d4b3c8ba77"
},
"filename": "momenntjs-1.0.0.tgz"
}
],
"evidence_files": [
{
"path": ".init.js",
"sha256": "6eb3939e40f85d1c3f591a3cd3a3edf0fd00c9b09fd7cb48f62e11edca3219b2",
"tlsh": "d9513181849e521310db2af168034c00a67ee59b3435e6e17e8f02249fddc6c85b3fbd"
}
]
}